Once More into the Breach | By Steve Viuker
JP Morgan Chase and numerous other financial entities were hit with a cyber breach, discovered in July and disclosed in August, at which time the bank estimated that 1 million accounts had been compromised. In early October, the scope of the breach was made public, and an estimated 76 million households and 7 million small businesses were affected.
The attack was more serious than was apparent at first. Financial information was not compromised and there had been no breach of login information such as account or Social Security numbers, passwords or dates of birth. But the names, email addresses, phone numbers and addresses of account holders were exposed.
In August, Bloomberg reported that the attack on JP Morgan had been linked to Russian hackers, who FBI sources said had been able to extract “gigabytes of sensitive data.” Recently, Jamie Dimon, JP Morgan CEO, told shareholders the bank would employ 1,000 people to oversee its systems.
Andrew Bagrin, CEO and founder of My Digital Shield, explained: “The first step of avoidance is awareness. You need to know where you stand today and what your security posture is.” Security audits can take many forms, from an elaborate, extremely expensive security audit “that will give you an extreme amount of detail and keep you busy for a year.” The second step is to evaluate and take action on the information to improve the institution’s security. Because of the variety of security solutions and its ever-changing nature, institutions which lack a dedicated security staff should choose solutions that do not require continuous maintenance and management – “otherwise you will be out of date and no longer secure very quickly,” he said. (Bagrin pointed to a 30-second test on www.shieldtest.com as a first step.)
Lloyd’s of London CEO Inga Beale expects the market for cyber insurance to surge. “Cyber is a new risk and it is a concern,” Beale said in an interview with Bloomberg Television. “Lloyd’s is at the heart of cyber attacks, providing coverage right now. It’s going to grow dramatically with all the high-profile hacking incidents.” Beale’s comments echo that of Tom Ridge, the first U.S. homeland security chief under President George W. Bush. His new insurance company has teamed up with five syndicates at Lloyd’s including Brit Plc (BRIT) and Aegis London. Marsh & McLennan Cos. estimates that the U.S. cyber insurance market could double this year to $2 billion in gross written premiums from an estimated $1 billion in 2013. In Europe, the market is estimated to be less than $150 million, rising by 50 percent to 100 percent annually.
“Traditional liability policies do not address cyber/privacy exposure,” said Robert Muenzberg vice president of sales at McGrath Insurance Group Inc. “The industries most impacted by the threat of cyber/privacy liability are financial services, health care and retail, but all businesses that handle any personally identifiable information or financial information of others, and that are active on the Internet, have potential exposure to cyber-liability.”
Richard McGrath, principal at McGrath Insurance, noted that data theft is not the only cyber-risk that businesses should prepare for. Heavy reliance on technology for business and personal use exposes businesses of all sizes to cyberthreat risk. “Experts in the field believe that cyber threats are just as serious, and possibly more dangerous, than other catastrophic events,” he said.
Cyber risk is a reality, and just like any risk, businesses must find a way of managing this new exposure, he said. “By developing policies and procedures to identify and address the vulnerabilities in your system, you are preparing for what all businesses inevitably will face: a cyber security breach.”
Brian Lozada, director of information security, Abacus Group said the Chase breach “didn’t surprise me. It was a matter of time. These recent events are raising an awareness that cyber needs to be brought to the table on an executive level. Obviously, Russia isn’t going to admit they were involved. But they had the motive and they used cyber to get their message across. This was about the sanctions regarding Ukraine.”
“The $250 million that Chase will spend on cyber security is a major commitment, but how they allocate it is the next step,” said Lozada. “Any industry that is processing or storing consumer information is a target. Information is leverage. You need to identify your sensitive assets and all your third parties that have connections into your network or that you share sensitive information with. Target had their HVAC contractor have their credentials compromised and used to access the network.”
Russell Stern, CEO of Solarflare, saw firsthand what Chase is up against. “Last month, I attended the Chase tech summit in Menlo Park. Cybersecurity for most financial institutions seems to have an endless budget. The challenge for the banks is the evolution of cyber threats moving from hackers being disruptive to state-sponsored terrorist threats. The most attacks are generated from China and the United States is the number one receiver. The second country of origin is the United States and the second receiver is China.”
Indeed, as Banking New York went to press, Reuters reported that the FBI warned U.S. businesses that hackers it believes to be backed by the Chinese government have recently launched attacks on U.S. companies. The document said that the agency recently obtained information regarding “a group of Chinese Government affiliated cyber actors who routinely steal high-value information from U.S. commercial and government networks through cyber espionage.” FBI spokesperson Josh Campell said, “The FBI has recently observed online intrusions that we attribute to Chinese government affiliated actors. Private sector security firms have also identified similar intrusions and have released defensive information related to those intrusions.”
“As for Chase, they just hired someone from the intelligence industry to head up cyber security,” said Stern. “To me, that is a sign to look at this differently than in the past. Chase was hit, in part, because of what they represent. But that doesn’t mean Bank of America or the other institutions aren’t in danger. Security devices tend to focus on perimeter security. A firewall is an example. It is like a security guard. Once you get past the guard, everything in the environment is open. If I can assemble a threat, I can get data out. At Solarflare, we can take security elements and drop them into every server in the environment. We are able to distribute security policy at every end point. This is like a war. You need layers of defense protecting you.”■